DHCP log analysis software ?

Gordon A. Lang glang at goalex.com
Sat Jun 18 23:09:16 UTC 2011


Thanks for the feedback.

I do already use syslog-ng, which can help, but the analysis I am wanting is
for making graphs and statistical reports based on scopes of interest that are
not known in advance, and so I always want to log all DHCP activity, and
then extract the interesting cross section after the fact, and then produce
reports and graphs from it.

--
Gordon A. Lang

----- Original Message ----- 
From: "Randy Gordey" <gordey at stdio.com>
To: "'Users of ISC DHCP'" <dhcp-users at lists.isc.org>
Sent: Saturday, June 18, 2011 4:57 PM
Subject: RE: DHCP log analysis software ?


> Hoping to cut down on some of your coding and debugging time... I use
> syslog-ng to parse DHCP messages out of /var/log/messages and either
> forward them to my central logging server or at the log server put them in
> /var/log/dhcpd.log. One file to examine. You could also put all logs in a
> sub directory by machine like /var/log/dhcp/192.168.1.1.dhcp.log with
> syslog-ng just as easy.
>
> -----Original Message-----
> From: dhcp-users-bounces+gordey=stdio.com at lists.isc.org
> [mailto:dhcp-users-bounces+gordey=stdio.com at lists.isc.org] On Behalf Of
> Gordon A. Lang
> Sent: Saturday, June 18, 2011 8:08 AM
> To: dhcp-users at isc.org
> Subject: DHCP log analysis software ?
>
> I was thinking about writing a program to analyze my DHCP logs.
> I think it would be very useful to have a filter program that accepts
> a raw syslog stream that includes messages from all servers of
> interest, collects and normalizes the DHCP messages, selects
> interesting messages using a regular expression, and provides
> a set of parameters every <n> seconds.  The set of parameters
> would include:
>   1. Number of DISCOVER's
>   2. Number of REQUEST's
>   3. Number of OFFER response times less than <t1>
>   4. Number of OFFER response times between <t1> and <t2>
>   5. Number of OFFER response times between <t2> and <t3>
>   6. Number of OFFER response times greater than <t3>
>   7. Number of ACK response times less than <t4>
>   8. Number of ACK response times between <t4> and <t5>
>   9. Number of ACK response times between <t5> and <t6>
>  10. Number of ACK response times greater than <t6>
>
> I am picturing the output of the filter could be fed into another
> filter that could produce moving averages of DISCOVER and
> REQUEST rates as well as moving averages of each of the
> four response time occurrence rates for OFFER's and ACK's.
>
> I would also like to see the filter use knowledge about the failover
> pairs and pool associations for each to report events on a per
> pool basis -- things like pool depletion, excessive pool
> balancing, persisting pool imbalance, broadcast packets going
> to one server but not the other, packets going to the wrong server,
> server providing responses when the response was supposed
> to come from its partner, and whatever else.
>
> But it occurred to me that there is probably something out there
> already written and debugged, so why reinvent the wheel?  And
> besides, a program like this would take a lot more time than I
> have available right now, and I could really use something today.
>
> Does anyone know of something available?
>
> --
> Gordon A. Lang
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>
> 
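
A sketch of the per-interval filter described in the quoted original message, added here as an example and not code from either poster or from ISC. It assumes the syslog stream carries ISO 8601 timestamps with fractional seconds followed by the host name and dhcpd's usual message text, and it pairs each OFFER or ACK with the earliest unanswered DISCOVER or REQUEST from the same MAC address; `summarize`, its parameters (`offer_t` standing for t1..t3, `ack_t` for t4..t6) and the sample lines are made up for the illustration.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Assumed line shape: ISO 8601 timestamp, host, then ISC dhcpd's message text.
LINE = re.compile(r"^(\S+) (\S+) dhcpd(?:\[\d+\])?: DHCP(DISCOVER|OFFER|REQUEST|ACK) "
                  r".*?\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)
REPLY_TO = {"OFFER": "DISCOVER", "ACK": "REQUEST"}

def summarize(lines, select=".", interval=60, offer_t=(0.1, 0.5, 2.0), ack_t=(0.1, 0.5, 2.0)):
    """Return {window_start_epoch: counters} for DHCP lines matching `select`."""
    want = re.compile(select)
    pending = {}   # (request kind, MAC) -> time of the earliest unanswered request
    windows = defaultdict(lambda: {"DISCOVER": 0, "REQUEST": 0, "OFFER": [0] * 4,
                                   "ACK": [0] * 4, "unmatched": 0})
    for line in lines:
        m = LINE.match(line)
        if not m or not want.search(line):
            continue
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        kind, mac = m.group(3).upper(), m.group(4).lower()
        win = windows[int(ts // interval) * interval]
        if kind in REPLY_TO:
            sent = pending.pop((REPLY_TO[kind], mac), None)
            if sent is None:          # reply whose request is not in this stream
                win["unmatched"] += 1
                continue
            limits = offer_t if kind == "OFFER" else ack_t
            win[kind][bisect_right(limits, ts - sent)] += 1   # bucket 0..3
        else:
            win[kind] += 1
            pending.setdefault((kind, mac), ts)   # retransmits keep the first time
    return dict(windows)

# Constructed sample lines, not taken from a real server.
SAMPLE = """\
2011-06-18T12:00:00.000 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
2011-06-18T12:00:00.050 dhcp1 dhcpd: DHCPOFFER on 192.168.1.10 to 00:11:22:33:44:55 via eth0
2011-06-18T12:00:00.060 dhcp1 dhcpd: DHCPREQUEST for 192.168.1.10 from 00:11:22:33:44:55 via eth0
2011-06-18T12:00:00.360 dhcp1 dhcpd: DHCPACK on 192.168.1.10 to 00:11:22:33:44:55 via eth0
2011-06-18T12:00:05.000 dhcp2 dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0
2011-06-18T12:00:08.000 dhcp2 dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0
2011-06-18T12:00:08.100 dhcp2 dhcpd: DHCPOFFER on 192.168.1.11 to 00:11:22:33:44:66 via eth0
2011-06-18T12:01:10.000 dhcp2 dhcpd: DHCPACK on 192.168.1.12 to 00:11:22:33:44:77 via eth0
""".splitlines()
if __name__ == "__main__":
    for start, counts in sorted(summarize(SAMPLE).items()):
        print(datetime.fromtimestamp(start).isoformat(), counts)
```

The `unmatched` counter collects replies with no request in the stream, which is where a request logged only by the failover partner would show up. With one-second syslog timestamps every sub-second response lands in the first bucket, so fractional timestamps are needed for the thresholds to mean anything.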
